CryptGetUserKey fails with 8009000d

From: Daniel (no_spam_sonofsmog_at_no_spam_hotmail.com)
Date: 09/16/05


Date: Fri, 16 Sep 2005 09:26:56 -0700

Hi All.

I have written an ActiveX DLL in VB to take care of some cryptography
functions I need performed by my ASP app (actually it modifies a nice little
class I found somewhere).

The only functions I need the DLL to perform are importing and signing
strings with a private key and importing a public key and encrypting
strings.

The first problem I had was getting CryptAcquireContext to work on the
TARGET SERVER because the security context that the application was running
in did not have access to a user profile. Thanks to Microsoft Q238187 I was
able to get a container like so:

 '
 ' try to acquire the existing container
 '
 lngReturnValue = CryptAcquireContext(hCryptProv, "Container" & vbNullChar, _
                                      SERVICE_PROVIDER, PROV_RSA_FULL, _
                                      CRYPT_MACHINE_KEYSET)
 If lngReturnValue = 0 Then
     '
     ' Try to make a new key container
     '
     lngReturnValue = CryptAcquireContext(hCryptProv, "Container" & vbNullChar, _
                                          SERVICE_PROVIDER, PROV_RSA_FULL, _
                                          CRYPT_NEWKEYSET Or CRYPT_MACHINE_KEYSET)
     If lngReturnValue = 0 Then Err.Raise Err.LastDllError, , _
         "DLL error code shown above. Error during CryptAcquireContext for a new key container."
 End If

The first call succeeds. I am never able to successfully make a new
container.

However, after that I am able to successfully call decrypt and import the
signature key (using CryptImportKey) and use it to sign some text (using
CryptCreateHash and CryptSignHash); there is no problem.

The problem arises when I attempt to import a Public Encryption key.
CryptImportKey succeeds fine, but CryptGetUserKey fails with error 8009000d.

I think the problem obviously has something to do with calling
CryptAcquireContext with CRYPT_MACHINE_KEYSET.

If I edit the account used for anonymous access on the page and set it to an
account that is logged in (like mine), then I don't need to use
CRYPT_MACHINE_KEYSET; I can create a new
container with CRYPT_NEWKEYSET and everything works fine.

Any help would be greatly appreciated.

-- 
Daniel
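
Added example, not part of the original post: error 8009000d is NTE_NO_KEY, which CryptGetUserKey returns when the container holds no key pair of the requested type, while a public key brought in with CryptImportKey is available only through the handle that call returns. The VB6 code below encrypts with that handle directly; the function name EncryptWithImportedKey and its parameters are hypothetical, and hCryptProv is assumed to come from a successful CryptAcquireContext call.

```vb
' Added example (VB6); hypothetical helper, not code from the original post.
Option Explicit

Private Declare Function CryptImportKey Lib "advapi32.dll" ( _
    ByVal hProv As Long, pbData As Any, ByVal dwDataLen As Long, _
    ByVal hPubKey As Long, ByVal dwFlags As Long, phKey As Long) As Long
Private Declare Function CryptEncrypt Lib "advapi32.dll" ( _
    ByVal hKey As Long, ByVal hHash As Long, ByVal Final As Long, _
    ByVal dwFlags As Long, pbData As Any, pdwDataLen As Long, _
    ByVal dwBufLen As Long) As Long
Private Declare Function CryptDestroyKey Lib "advapi32.dll" ( _
    ByVal hKey As Long) As Long

' hCryptProv: handle already obtained from CryptAcquireContext.
' abytBlob:   PUBLICKEYBLOB of the RSA public key (assumed input, 0-based).
' abytPlain:  bytes to encrypt (assumed 0-based, short enough for one RSA block).
Public Function EncryptWithImportedKey(ByVal hCryptProv As Long, _
        abytBlob() As Byte, abytPlain() As Byte) As Byte()
    Dim hKey As Long, lngLen As Long, lngBuf As Long, lngErr As Long
    Dim abytData() As Byte

    ' The imported public key comes back in hKey. It is not one of the
    ' container's own key pairs, so CryptGetUserKey is not used to fetch it.
    If CryptImportKey(hCryptProv, abytBlob(0), UBound(abytBlob) + 1, _
                      0, 0, hKey) = 0 Then
        Err.Raise vbObjectError + 1, , _
            "CryptImportKey failed: &H" & Hex$(Err.LastDllError)
    End If

    ' First call with a null buffer: ask for the required ciphertext size.
    lngLen = UBound(abytPlain) + 1
    lngBuf = lngLen
    If CryptEncrypt(hKey, 0, 1, 0, ByVal 0&, lngBuf, 0) = 0 Then GoTo Failed

    ' Second call: encrypt in place in a buffer of that size.
    abytData = abytPlain
    ReDim Preserve abytData(0 To lngBuf - 1)
    If CryptEncrypt(hKey, 0, 1, 0, abytData(0), lngLen, lngBuf) = 0 Then GoTo Failed
    ReDim Preserve abytData(0 To lngLen - 1)
    CryptDestroyKey hKey
    EncryptWithImportedKey = abytData
    Exit Function
Failed:
    lngErr = Err.LastDllError        ' capture before the cleanup call resets it
    CryptDestroyKey hKey
    Err.Raise vbObjectError + 2, , "CryptEncrypt failed: &H" & Hex$(lngErr)
End Function
```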

